Skip to content

Add refresh token rotation for JWT sessions #214

Description

@robertocarlous

Summary

Currently JWT sessions have a fixed expiry with no refresh mechanism. Users are logged out abruptly and must re-authenticate with their Stellar keypair, hurting UX.

Proposed Solution

  • Issue a short-lived access token (15 min) + a long-lived refresh token (7 days)
  • Store refresh token hash in the Session table
  • Add POST /api/auth/refresh endpoint
  • Rotate refresh token on each use (single-use)
  • Revoke all refresh tokens on logout

Acceptance Criteria

  • POST /api/auth/refresh returns new access + refresh token pair
  • Old refresh token is invalidated after rotation
  • Logout revokes both tokens
  • Unit tests cover rotation and revocation
  • .env.example documents REFRESH_TOKEN_SECRET and REFRESH_TOKEN_TTL

Metadata

Metadata

Assignees

Labels

Stellar WaveIssues in the Stellar wave programenhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions